General Info

File name

psiphon3.exe

Full analysis
https://app.any.run/tasks/dc588b2b-e948-47fc-8b2f-8666d1529a00
Verdict
Malicious activity
Analysis date
8/13/2019, 17:06:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5

16b965cb5539f58b273cb327c88524d8

SHA1

54ccc518f4c032909211229ded7a7b63f19b28e0

SHA256

7d364bb999bd7cf126f5ae35c7cc80de32a112bafb8cfa7d4f0533348949b994

SSDEEP

98304:T5XQQR6sdk08XmikVoyr3ob7qMK+Mg7kgFbMQptxiBmiKj8uuYZT+hBJ:T5XQQR6ok8ikgb6XqbXxamisuY9CBJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • psiphon-tunnel-core.exe (PID: 3376)
Reads Internet Cache Settings
  • rundll32.exe (PID: 2628)
  • psiphon3.exe (PID: 304)
Executed via COM
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3740)
Starts Internet Explorer
  • psiphon3.exe (PID: 304)
Uses RUNDLL32.EXE to load library
  • psiphon3.exe (PID: 304)
Reads internet explorer settings
  • psiphon3.exe (PID: 304)
Creates files in the user directory
  • psiphon-tunnel-core.exe (PID: 3376)
  • psiphon3.exe (PID: 304)
Executable content was dropped or overwritten
  • psiphon3.exe (PID: 304)
Reads settings of System Certificates
  • iexplore.exe (PID: 388)
Reads Internet Cache Settings
  • iexplore.exe (PID: 388)
  • iexplore.exe (PID: 1252)
Creates files in the user directory
  • iexplore.exe (PID: 388)
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3740)
  • iexplore.exe (PID: 1252)
Changes internet zones settings
  • iexplore.exe (PID: 388)
Application launched itself
  • iexplore.exe (PID: 388)
Reads internet explorer settings
  • iexplore.exe (PID: 1252)


Static information

TRiD
  • .exe | UPX compressed Win32 Executable (43.5%)
  • .exe | Win32 EXE Yoda's Crypter (42.7%)
  • .exe | Win32 Executable (generic) (7.2%)
  • .exe | Generic Win/DOS Executable (3.2%)
  • .exe | DOS Executable Generic (3.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:08:09 02:59:44+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
6209536
InitializedDataSize:
90112
UninitializedDataSize:
11902976
EntryPoint:
0x11467e0
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
09-Aug-2019 00:59:44
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000120
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
09-Aug-2019 00:59:44
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
UPX0 0x00001000 0x00B5A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
UPX1 0x00B5B000 0x005EC000 0x005EBC00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.9305
.rsrc 0x01147000 0x00016000 0x00015C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.48738
Resources
  • Numbered resources: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 131, 132, 133, 146, 147
  • Named resources: COUNTRY_DIALING_CODES.JSON, BANNER.PNG, FLAGS32.PNG, FLAG_UNKNOWN_32.PNG, FLAG_UNKNOWN_64.PNG, ICOMOON.EOT, LOGO-BW.PNG, LOGO.PNG, MAIN.HTML

Imports
  • KERNEL32.DLL
  • ADVAPI32.dll
  • COMCTL32.dll
  • CRYPT32.dll
  • GDI32.dll
  • ole32.dll
  • OLEAUT32.dll
  • RASAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • VERSION.dll
  • WINHTTP.dll
  • WININET.dll
  • WS2_32.dll

Exports

    No exports.

Processes

Total processes
41
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

drop and start start psiphon3.exe psiphon-tunnel-core.exe rundll32.exe no specs iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
304
CMD
"C:\Users\admin\AppData\Local\Temp\psiphon3.exe"
Path
C:\Users\admin\AppData\Local\Temp\psiphon3.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\psiphon3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\microsoft shared\vgx\vgx.dll
c:\windows\system32\atl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dxtmsft.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\local\temp\psiphon-tunnel-core.exe
c:\windows\system32\d3dim700.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\propsys.dll
c:\program files\internet explorer\iexplore.exe

PID
3376
CMD
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat"
Path
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe
Indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\psiphon-tunnel-core.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2628
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll

PID
388
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=NO&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
1252
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:388 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\feclient.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\t2embed.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll

PID
3740
CMD
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version
26,0,0,131
Modules
Image
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

Registry activity

Total events
680
Read events
554
Write events
124
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipBrowser
0
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipProxySettings
0
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipAutoConnect
0
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
EnableFileTracing
0
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
EnableConsoleTracing
0
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
FileTracingMask
4294901760
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
ConsoleTracingMask
4294901760
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
MaxFileSize
1048576
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
FileDirectory
%windir%\tracing
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
NativeProxyInfo
{"proxies":[{"bypass":"","flags":1,"name":"","proxy":""}]}
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
EnableFileTracing
0
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
EnableConsoleTracing
0
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
FileTracingMask
4294901760
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
ConsoleTracingMask
4294901760
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
MaxFileSize
1048576
304
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
FileDirectory
%windir%\tracing
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePrefix
DOMStore
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheLimit
1000
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheOptions
8
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheRepair
0
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
UICookies
{"language":"en"}
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
UICookies
{"language":"en","AvailableEgressRegions":["AT","BE","BG","CA","CH","CZ","DE","DK","ES","GB","HU","IN","IT","JP","NL","NO","PL","RO","SE","SG","SK","US"]}
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
PsiphonProxyInfo
{"proxies":[{"bypass":"<local>","flags":2,"name":"","proxy":"http=127.0.0.1:49594;https=127.0.0.1:49594;socks=127.0.0.1:49593"}]}
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
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
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:49594;https=127.0.0.1:49594;socks=127.0.0.1:49593
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride
<local>
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
304
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:49594;https=127.0.0.1:49594;socks=127.0.0.1:49593
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride
<local>
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
46000000960000000200000040000000687474703D3132372E302E302E313A34393539343B68747470733D3132372E302E302E313A34393539343B736F636B733D3132372E302E302E313A3439353933070000003C6C6F63616C3E000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{FA8EE394-BDDB-11E9-9885-5254004A04AF}
0
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D000F00060034006902
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D000F00060034006902
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D000F00060034004403
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
10
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D000F00060034009203
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
86
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D000F00060035007500
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
29
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
1
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000F00060037008501
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
2
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000F00060038002103
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
3
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000F00060039008800
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
388
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
EC6544C0E851D501
388
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
388
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
1252
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814
1252
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
1252
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
1252
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
1252
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
1252
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829

Files activity

Executable files
1
Suspicious files
0
Text files
43
Unknown types
12

Dropped files

PID
Process
Filename
Type
304
psiphon3.exe
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe
executable
MD5: a33148c5ff0767f91bfbaf81418fc81f
SHA256: ad17faa17e65e4f0ed96b557754e005b78b18528d54a166d2275e5b39115aacd
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\main[1]
html
MD5: 29fa264cb54df50df777f2f4f6154a1c
SHA256: 8caaaae2aa224ffec4f598a7ad44236b3f65bc4089c3cc0492c31d5a448d3da0
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: 4c6763c9a9becfd0d243f50f7115a523
SHA256: adf2015366c847542f091cfaf4f890890e9be4793f6e28abaa181d3c7b72aa3a
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 2578a9b85c9e1e3e59a3392ad632813f
SHA256: a8fea5503dea474f8be2fa57f07707e936e2e47c96c7edc7c61c2fb33a7e5148
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\eye-slash-solid[1].svg
image
MD5: 840854d88ac97a13506c47ef3222cf09
SHA256: 1b9451f35241c667692568e5d5c004a81177cbdec4a30861a7c5103eb5080bbe
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\p_icon[1].png
image
MD5: 902d20d8dc9829aff0f8b7db8c8a6da6
SHA256: 4b68751c69ccabff708fa7d42300db5e2539046d79886f119e94495385e9c27c
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\js[2]
text
MD5: 0743ac4ebfb71a960d4c27e982841e18
SHA256: 331ce745672b322a52391b0cbd1e10dbf29bfb57bb6a777a960b3e2ce7b8f6cc
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\psiphon1[1].txt
––
MD5:  ––
SHA256:  ––
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\psiphon1[1].htm
html
MD5: 493b05b1fac62698b139890b7343b479
SHA256: 636780cedceec3d59fb2132089ac6c8953a02dd60e5122fce23857f98df5af45
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: f56dd925f8c2c7d561cf2cd67ca3d229
SHA256: cf8e966f59c0e525bf9318671174c6141e0cffd1ec2e9a950a1089854a9da17a
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\js[1]
text
MD5: 0743ac4ebfb71a960d4c27e982841e18
SHA256: 331ce745672b322a52391b0cbd1e10dbf29bfb57bb6a777a960b3e2ce7b8f6cc
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\firebase.notifications[1].js
text
MD5: 24cea24bd6c941d1c006a55c4737b02b
SHA256: 171c4a3b766b16431c79c89449ddead0280392e61e75675252d797703808238c
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: b58c54c2a0a5aedff07471356ca7b967
SHA256: 38d261f74e06761e6328b70559a1f42a097d2ed4eb19ad5766cf7381c7f107ed
3740
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSQAXMZM\firebase.notifications.init[1].js
text
MD5: 0424f6b44d04e5b838bf3585c78a7f61
SHA256: 3c056e894c4aeff9c40877c1d7a92b746dd87153acb51a44735e13d158e6aa3b
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\sky_content_light[1].png
image
MD5: 6002338e17c7a484fbdcf5b941a12214
SHA256: ec6c69329662f458ee7d24892e0a1d2540f16cb375ce5ad972e6a58b5ecd1e8b
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\NGS3v5_NC0k9P9l1aqRMkKo[1].eot
eot
MD5: 65b6c9c9b81c4e91ae05652251daad4f
SHA256: cdb425d2e610ddc90b222e2eb6a4a838bc9414a65304653eb3399e097f49ca0a
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\1Ptug8zYS_SKggPNyC0ISw[1].eot
eot
MD5: e18be132ed71498dc498dcc99fe144b2
SHA256: 07c1c301fe55759d09cd30a4a0276dea43c3c7286a1448d03aacd16dd57d6214
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\analytics[1].js
text
MD5: a477b40dcc869e74d6414e8e42e36844
SHA256: cec3748d0c3da4700300d5424aaea375b03550b0ee8b3dd38e242c4022261446
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 774e6b12129f24b6b01f049db5c05aaf
SHA256: 31bb5a45e7204420c30f598c567d002c07c73ddb4a1d3fc2903c4003ce40e0ea
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\OpenSans-Regular[1].ttf
ttf
MD5: 629a55a7e793da068dc580d184cc0e31
SHA256: e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
gmc
MD5: ce338fe6899778aacfc28414f2d9498b
SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSQAXMZM\f[2].txt
text
MD5: 0eaf6b9813845f03c6227ca78f043d07
SHA256: 433708592d444e9cf81326795e0d23ffdfedc716fb428fbfd45d696880394107
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSQAXMZM\f[1].txt
––
MD5:  ––
SHA256:  ––
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\gtm[1].js
text
MD5: ecb1cb08c0960cbff80f79f1eb7691b7
SHA256: 9b4e2bef5a32d1e914922371e278cc224d894f6625e6d3eafe9c485b42db1695
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\css[1].txt
text
MD5: 3a8d3cea05b9104d51a32cddfe536f0a
SHA256: 4a2a7be112c9ce57d829b70dd9259bbf3792b1c7fd4a62adaab0bbf092d4a660
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\js[1]
text
MD5: 9918e0d1d18422f0d3d424db83ba8da1
SHA256: de8ab9abafd885126cf43fdcd5f93cd1d7332fca5b6ad5c40f91b773cd62ba1c
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSQAXMZM\wow[1].js
text
MD5: 164b265e6089f412b7927848018ae6a1
SHA256: 81c4cb0bc57b5cce1816bd704f7a2b12ec2b143c6a067402644d4a139b273350
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\animate[1].css
text
MD5: e32406757509a6ac508ef9180712829f
SHA256: b75f6d25cc96d0dc468811273d2107eddb498b79f0b4e66125b459ddf9600ffd
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\location_concealment[1].js
text
MD5: 0c5a90b68bd54a7c580a543f40a1e4d9
SHA256: 8d4e4f70dbee652f6a6205322477837341d4a750c03327594af9fe40921840c7
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSQAXMZM\style-black-footer[1].css
text
MD5: 5cf5ea6d4374871d8a6ed1d2722e215c
SHA256: dbd74fdd3154a60bd1e189eb52675a7288764f84cbab7fb922716d72707ce222
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\psyphon[1].css
text
MD5: ee52a295a064efc16fc107e2b9494058
SHA256: 9720bbfd656c447a71f3cc16268cc3b4211c3dcac6f282fc6c11d407c8831b63
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\app[1].js
text
MD5: 72bfa1f7be392f89e3c24711b6a31f1b
SHA256: 7606b8dd0a5f8d229a765fbcc396f047b2111050f7977ba3e580f30d23b8da1d
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\app[1].css
text
MD5: 88c53847778dc60bef90e07f6a065c76
SHA256: d19ce95b781d933897fa2295294b59d24c5835dfa3bf5580bce2e417a91481a3
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\psiphon1[1].txt
––
MD5:  ––
SHA256:  ––
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\psiphon1[1].htm
html
MD5: 493b05b1fac62698b139890b7343b479
SHA256: 636780cedceec3d59fb2132089ac6c8953a02dd60e5122fce23857f98df5af45
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: bf4cd1a06844234e26555ef40d13919f
SHA256: 9b9271a6f705e451c1a8942d80dcc656769c4194ac9f1ae81f73b9f4b4576171
1252
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: 9fa1ce243de449027fcc8817447bf87a
SHA256: 72b67427ea8a2f7f3c1caad6453ce71534dc05930f43d340635a684582a74277
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 9c38d08ee645cbf750b321f8b2fe5256
SHA256: e64e4f73774b6d50afd2ba8eb5422d239da877bf13b9046f16bcd7a07846474e
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: d161b32fe1f459d8be8b85a191c33eed
SHA256: ca5e0d0b076491571280d8c0b31554c4d367ee593b2b5b114e09939c407c782f
1252
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
388
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
388
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
388
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
2628
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSQAXMZM\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\logo[1]
image
MD5: 42b90e10a6a86254d31b696c5d2ec425
SHA256: 4b384b1c9bbeefda045465fc5aede6cce7a0312625bef497fb6c8d5e8c715389
2628
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\87DTBSUO\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2628
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QKNP5BL6\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2628
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB1GE3AZ\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2628
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 47e6bf24c23879a634f8f2be358d6664
SHA256: d27df37a592befb9906ea467502b7820c03a8ebf835216130a2d834695751cbf
388
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 5c3865afc86b0e5fe4da9987913f62a3
SHA256: 290b14a559e805fd4351f422ca291849050d76b0613c561103b1ad8d07b84352
304
psiphon3.exe
C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config
text
MD5: c122c17b48f04d3e6a28a6b218a451e5
SHA256: 920c1c27f9d670b7d89dacc8f23f0f9ecbf4833f3291157c743a2e880b1847ec
304
psiphon3.exe
C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat
text
MD5: 72dcad760a5687fbfd219ddb0600e752
SHA256: 6fcdc2a54cb8f79a48e3cf1941f1c6049f7e5080781f0f0ead339b979e46da4b
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\flag_unknown_32[1]
image
MD5: 0e23864908aa82dcfa6cf76bd308a498
SHA256: 2bf319d0025d275df9da396e238377460d9b562bb2f11bb0d9dab23981e79cfd
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\banner[1]
image
MD5: 08b36b5183a2f59ea4b945e69d1dc56f
SHA256: f1f61a3fde6beaf0f24ac19a729d6e596ab305bdfe2e0f75a69c5157f2495101
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\flags32[1]
image
MD5: 3e6527267c26712bd0cea85727fb07f5
SHA256: bed94eb6c145a484b67f6a8281183cb8fba27e2bd91e1e9c95dd2b843fe87784
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\logo-bw[1]
image
MD5: e3c5eb232471c89b49fa8b3e2ee8f1c2
SHA256: a3d3a9bdd3ce2a712438b0222fa66cf0b998f728fec3a9586b8dac00de4a41dd
304
psiphon3.exe
C:\Users\admin\AppData\Local\Temp\datDC20.tmp
eot
MD5: 9ba3a958e8254c41e8ace685e35e8cf1
SHA256: edb2df32f1f406895db11c56998e1390924cff7137ec67b83a935019eaf7a928
304
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\icomoon[1]
eot
MD5: 9ba3a958e8254c41e8ace685e35e8cf1
SHA256: edb2df32f1f406895db11c56998e1390924cff7137ec67b83a935019eaf7a928
388
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: c7ea8eacb952e2dd8efb4b97d37c037d
SHA256: 52426a022dd3131f7cdcd711b7dfbfc2479c6d838dcd8ae55157ffa19f62a91a

Network activity

HTTP(S) requests
1
TCP/UDP connections
12
DNS requests
3
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3376 psiphon-tunnel-core.exe POST –– 2.16.186.89:80 http://www.stealthbuddiesparis.com/ unknown binary –– –– whitelisted

Connections

PID Process IP ASN CN Reputation
3376 psiphon-tunnel-core.exe 151.101.0.179:443 Fastly US suspicious
3376 psiphon-tunnel-core.exe 151.101.1.194:443 Fastly US suspicious
3376 psiphon-tunnel-core.exe 45.33.13.15:443 Linode, LLC US unknown
3376 psiphon-tunnel-core.exe 178.79.131.219:443 Linode, LLC GB unknown
3376 psiphon-tunnel-core.exe 87.101.94.42:22 –– unknown
3376 psiphon-tunnel-core.exe 104.18.152.190:443 Cloudflare Inc US unknown
3376 psiphon-tunnel-core.exe 77.68.40.67:443 1&1 Internet SE GB unknown
3376 psiphon-tunnel-core.exe 178.62.40.168:53 Digital Ocean, Inc. GB unknown
3376 psiphon-tunnel-core.exe 212.227.200.149:443 1&1 Internet SE DE unknown
3376 psiphon-tunnel-core.exe 37.46.114.57:443 AltusHost B.V. BG unknown
3376 psiphon-tunnel-core.exe 194.79.31.91:22 M247 Ltd GB unknown
3376 psiphon-tunnel-core.exe 2.16.186.89:80 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
prod.global.fastly.net 151.101.0.179, 151.101.64.179, 151.101.128.179, 151.101.192.179 whitelisted
prod.global.ssl.fastly.net 151.101.1.194, 151.101.65.194, 151.101.129.194, 151.101.193.194 whitelisted
a1301.g.akamai.net 2.16.186.89, 2.16.186.81 unknown

Threats

No threats detected.

Debug output strings

Process Message
psiphon3.exe